Java library for Dynata request-signing primitives. It provides the following:
- URL canonicalization for signing
- Signing-string generation (
SHA-256lowercase hex ofMETHOD + canonical_url + body) - Signature generation via the 3-step
HMAC-SHA256chain
It does not include an HTTP client integration layer.
Before sending signed requests you will need credentials for Dynata APIs. These consist of:
- Access key: used locally to compute the
dynata-signatureand also sent in thedynata-access-keyrequest header. - Secret key: never sent as a header; used locally to compute the
dynata-signature.
This package is published to GitHub Packages. GitHub Packages requires authentication even for read access, so you need a GitHub personal access token (classic) with the read:packages scope.
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>maven-app</artifactId>
<version>1.0.0</version>
<packaging>jar</packaging>
<properties>
<maven.compiler.release>17</maven.compiler.release>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<repositories>
<repository>
<id>github-dynata</id>
<url>https://maven.pkg.github.com/dynata/dynata-sig-java</url>
<releases>
<enabled>true</enabled>
</releases>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>com.dynata.arch</groupId>
<artifactId>dynata-sig</artifactId>
<version>1.3.0</version>
</dependency>
</dependencies>
</project>Add a matching server entry to your Maven settings.xml (usually ~/.m2/settings.xml) so Maven can authenticate against GitHub Packages. The id must match the repository id in the pom.xml (github-dynata):
<settings>
<servers>
<server>
<id>github-dynata</id>
<username>${env.GITHUB_ACTOR}</username>
<password>${env.GITHUB_TOKEN}</password>
</server>
</servers>
</settings>Then export your credentials and build:
export GITHUB_ACTOR=your-github-username
export GITHUB_TOKEN=ghp_your_PAT_with_read:packages
cd maven-app && mvn installEach Dynata signature starts from a signing string, which is built from:
{METHOD}{URI}{BODY}
with no delimiter between segments, then hashed as SHA-256 and encoded as lowercase hex.
Use the exact HTTP method sent on the wire (GET, POST, DELETE, etc.).
Use the URI (scheme + host + path + query) in canonical form.
- Scheme: advertised scheme of the receiving application.
- Host: domain name only (do not include port).
- Path: target resource path, including the leading
/. - Query: use a canonical query string.
Canonical query construction:
- Sort parameter names by character code point ascending.
- URI-encode each name and value using RFC 3986 rules.
- Do not encode unreserved characters:
A-Z,a-z,0-9,-,_,.,~. - Percent-encode all other characters as uppercase hex (
%XY). - Encode spaces as
%20(never+). - Build pairs as
name=value, then join with&. - Use an empty string when a parameter has no value.
Use the exact body text/bytes sent with the request. Whitespace, ordering, and encoding must be preserved exactly.
After generating the signing string, compute the signature using a three-step HMAC-SHA256 chain:
- HMAC with expiration timestamp as key and signing string as message.
- HMAC with access key as key and step 1 output as message.
- HMAC with secret key as key and step 2 output as message.
Implementation notes:
- The final signing string digest is always a 64-character lowercase SHA-256 hex value.
- If there is no body, use an empty body segment.
- Use UTF-8 for all key and message conversions.
- Use lowercase hex output for each HMAC digest.
- Reuse the exact RFC3339 expiration value from the
dynata-expirationheader.